Switch to metal-go; Use hostKeyCallback

.env

@@ -1,7 +1,7 @@
 NETWORK_NAME=metal
 NETWORK_SUBNET=10.0.0.0/24
 
-METAL_API_ADDRESS=https://api.metal-pod.dev/metal
+METAL_API_URL=https://api.metal-pod.dev/metal
 
 METAL_CONSOLE_PORT_HOST=2222
 METAL_CONSOLE_PORT=2222

Dockerfile.bmcproxy

@@ -11,4 +11,6 @@ RUN apk add \
 COPY host-key /
 COPY --from=builder /work/bin/bmc-proxy /
 
+RUN chmod 0600 /host-key
+
 CMD ["/bmc-proxy"]

Dockerfile.bmcproxy.dev

@@ -2,10 +2,11 @@ FROM alpine:3.10
 
 LABEL maintainer="FI-TS Devops <[email protected]>"
 
+COPY bin/bmc-proxy host-key /
+
 RUN apk -u add \
     ipmitool \
-    libvirt-client
-
-COPY bin/bmc-proxy host-key /
+    libvirt-client \
+ && chmod 0600 /host-key
 
 CMD ["/bmc-proxy"]

Dockerfile.bmcreverseproxy

@@ -5,3 +5,5 @@ COPY nginx.conf /etc/nginx/
 COPY server.crt /etc/ssl/certs/
 COPY server.key /etc/ssl/private/
 COPY client.crt /etc/nginx/
+
+RUN chmod 0600 /etc/ssl/private/server.key

Dockerfile.console

@@ -7,4 +7,6 @@ LABEL maintainer="FI-TS Devops <[email protected]>"
 COPY host-key ca.crt client.crt client.pem /
 COPY --from=builder /work/bin/metal-console /
 
+RUN chmod 0600 /host-key /client.pem
+
 CMD ["/metal-console"]

Dockerfile.console.dev

@@ -4,4 +4,6 @@ LABEL maintainer="FI-TS Devops <[email protected]>"
 
 COPY bin/metal-console host-key ca.crt client.crt client.pem /
 
+RUN chmod 0600 /host-key /client.pem
+
 CMD ["/metal-console"]

Makefile

@@ -1,11 +1,11 @@
+.PHONY: default
+default: release;
+
 COMMONDIR := $(or ${COMMONDIR},../common)
 
 include $(COMMONDIR)/Makefile.inc
 
-SWAGGERSPEC := metal-api.json
-SWAGGERTARGET := metal-api
-
-release:: generate-client gofmt test bmcproxy console;
+release:: gofmt test bmcproxy console;
 
 bmcproxy:
 	$(GO) build \
@@ -18,11 +18,3 @@ console:
 		-tags netgo \
 		-o bin/metal-console \
 		./cmd/console
-
-.PHONY: clean-target
-clean-target:
-	rm -rf ${SWAGGERTARGET}
-	mkdir ${SWAGGERTARGET}
-
-.PHONY: generate-client
-generate-client: clean-target swaggergenerate;

devBuild.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+set -e
+
 make bmcproxy
 make console
 docker-compose build

docker-compose.yaml

@@ -48,9 +48,10 @@ services:
     ports:
       - "${METAL_CONSOLE_PORT_HOST}:${METAL_CONSOLE_PORT}"
     volumes:
-      - ./host-key.pub:/host-key.pub
+      - ${HOME}/.ssh/id_rsa.pub:/public-key
     environment:
       METAL_CONSOLE_PORT: ${METAL_CONSOLE_PORT}
-      METAL_CONSOLE_METAL_API_ADDRESS: ${METAL_API_ADDRESS}
+      METAL_CONSOLE_METAL_API_URL: ${METAL_API_URL}
+      METAL_CONSOLE_HMAC_KEY: ytjdBPHvXgc3xfY3e5szLSDB3gajRwefSqvFyFX4
       METAL_CONSOLE_BMC_REVERSE_PROXY_ADDRESS: bmc-reverse-proxy:${BMC_REVERSE_PROXY_PORT}
-      METAL_CONSOLE_PUBLIC_KEY: /host-key.pub
+      METAL_CONSOLE_PUBLIC_KEY: /public-key

go.mod

@@ -5,22 +5,14 @@ require (
 	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gliderlabs/ssh v0.2.2
-	github.com/go-openapi/analysis v0.19.4 // indirect
-	github.com/go-openapi/errors v0.19.2
-	github.com/go-openapi/runtime v0.19.4
-	github.com/go-openapi/strfmt v0.19.2
-	github.com/go-openapi/swag v0.19.5
-	github.com/go-openapi/validate v0.19.2
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/kr/pty v1.1.8
-	github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e // indirect
-	github.com/metal-pod/security v0.0.0-20190605103437-319d1b2eca89
+	github.com/metal-pod/metal-go v0.0.0-20190904133716-d7122fdd20c2
 	github.com/pkg/errors v0.8.1
 	go.mongodb.org/mongo-driver v1.1.1 // indirect
 	go.uber.org/atomic v1.4.0 // indirect
 	go.uber.org/zap v1.10.0
 	golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472
-	golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297 // indirect
 	golang.org/x/sys v0.0.0-20190904154756-749cb33beabd // indirect
 )
 

go.sum

@@ -26,6 +26,8 @@ github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/emicklei/go-restful v1.1.3/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.1+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.6+incompatible h1:tfrHha8zJ01ywiOEC1miGY8st1/igzWB8OmvPgoYX7w=
+github.com/emicklei/go-restful v2.9.6+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful-openapi v0.13.1/go.mod h1:uxPGuEZF2eKgXrVkSXQ2GRvpapckAVjWLqpMKk31PD4=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
@@ -107,12 +109,17 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/icza/dyno v0.0.0-20180601094105-0c96289f9585/go.mod h1:FOWDLyFiAsx5UmipjsBYguvps42mgph4nRPwuci95qM=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
@@ -133,14 +140,20 @@ github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e h1:hB2xlXdHp/pmPZq0y3QnmWAArdw9PqbmotexnWx/FU8=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/metal-pod/metal-go v0.0.0-20190904133716-d7122fdd20c2 h1:1aU8SToetUiSGUW/kKTI0tN9DGauX1QEwTcxVP4/z74=
+github.com/metal-pod/metal-go v0.0.0-20190904133716-d7122fdd20c2/go.mod h1:t27h77pANpArsVodEuJIo4HqmjqgRjTpIDgesABlE7I=
 github.com/metal-pod/security v0.0.0-20190605085245-f3d2eb409950 h1:5Rbtz1UHTXktBc9uxAXk99jd33cir7FBKVeFcZ1Q0T4=
 github.com/metal-pod/security v0.0.0-20190605085245-f3d2eb409950/go.mod h1:BUuL3n1TYvrGlxfUl2L6zrErSkw1NPchimPfcWMSU1k=
 github.com/metal-pod/security v0.0.0-20190605103437-319d1b2eca89 h1:RRVjpKhVGMGoDjadvr0IZWQSPoFvYUp4es7s62zhx8k=
 github.com/metal-pod/security v0.0.0-20190605103437-319d1b2eca89/go.mod h1:BUuL3n1TYvrGlxfUl2L6zrErSkw1NPchimPfcWMSU1k=
 github.com/metal-pod/v v0.0.2/go.mod h1:zfivn9g6ekhIur+pz78MLlOBqUqTk8sWJaFJNaz9OKk=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/nsqio/go-nsq v1.0.7/go.mod h1:XP5zaUs3pqf+Q71EqUJs3HYfBIqfK6G83WQMdNN+Ito=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
@@ -157,10 +170,13 @@ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 go.mongodb.org/mongo-driver v1.0.3 h1:GKoji1ld3tw2aC+GX1wbr/J2fX13yNacEYoJ8Nhr0yU=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.0/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.1.1 h1:Sq1fR+0c58RME5EoqKdjkiQAmPjmfHlZOoRI6fTUOcs=
 go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4=

internal/bmcproxy/bmcProxy.go

@@ -2,9 +2,9 @@ package bmcproxy
 
 import (
 	"fmt"
-	"git.f-i-ts.de/cloud-native/metal/metal-console/metal-api/models"
 	"github.com/gliderlabs/ssh"
 	"github.com/kr/pty"
+	"github.com/metal-pod/metal-go/api/models"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	gossh "golang.org/x/crypto/ssh"

internal/console/consoleServer.go

@@ -4,21 +4,12 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"git.f-i-ts.de/cloud-native/metal/metal-console/metal-api/client/machine"
-	"git.f-i-ts.de/cloud-native/metal/metal-console/metal-api/models"
+	metalgo "github.com/metal-pod/metal-go"
 	"io"
 	"io/ioutil"
 	"runtime"
 	"sync"
 
-	rt "github.com/go-openapi/runtime"
-
-	"time"
-
-	"github.com/go-openapi/strfmt"
-
-	"github.com/metal-pod/security"
-
 	"github.com/gliderlabs/ssh"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
@@ -27,38 +18,24 @@ import (
 
 type consoleServer struct {
 	log           *zap.Logger
-	machineClient *machine.Client
+	machineClient *metalgo.Driver
 	spec          *Specification
 	mutex         sync.RWMutex
 	ips           *sync.Map
-	hmac          security.HMACAuth
-	Auth          rt.ClientAuthInfoWriter
 }
 
 func NewServer(log *zap.Logger, spec *Specification) (*consoleServer, error) {
-	client, err := newMachineClient(spec.MetalAPIURL)
+	client, err := newMachineClient(spec.MetalAPIURL, spec.HMACKey)
 	if err != nil {
 		return nil, err
 	}
-	cs := &consoleServer{
+	return &consoleServer{
 		log:           log,
 		machineClient: client,
 		spec:          spec,
 		ips:           &sync.Map{},
 		mutex:         sync.RWMutex{},
-	}
-	cs.InitHMAC(spec.HMACKey)
-	return cs, nil
-}
-
-func (cs *consoleServer) InitHMAC(hmacKey string) {
-	cs.hmac = security.NewHMACAuth("Metal-Edit", []byte(hmacKey))
-	cs.Auth = rt.ClientAuthInfoWriterFunc(cs.auther)
-}
-
-func (cs *consoleServer) auther(rq rt.ClientRequest, rg strfmt.Registry) error {
-	cs.hmac.AddAuthToClientRequest(rq, time.Now())
-	return nil
+	}, nil
 }
 
 // Run starts ssh server and listen for console connections.
@@ -102,6 +79,10 @@ func (cs *consoleServer) sessionHandler(s ssh.Session) {
 
 	mgmtServiceAddress := m.Partition.Mgmtserviceaddress
 
+	if cs.spec.DevMode() {
+		mgmtServiceAddress = cs.spec.BmcReverseProxyAddress
+	}
+
 	tcpConn := cs.connectToManagementNetwork(mgmtServiceAddress)
 	defer tcpConn.Close()
 
@@ -253,22 +234,10 @@ func (cs *consoleServer) connectToManagementNetwork(mgmtServiceAddress string) *
 }
 
 func (cs *consoleServer) sendIPMIData(sshSession *gossh.Session, machineID, machineIP string) {
-	var metalIPMI *models.V1MachineIPMI
-	if cs.spec.DevMode() {
-		user := "ADMIN" //TODO
-		pw := "ADMIN"
-		metalIPMI = &models.V1MachineIPMI{
-			Address:  &machineIP,
-			User:     &user,
-			Password: &pw,
-		}
-	} else {
-		var err error
-		metalIPMI, err = cs.getIPMIData(machineID)
-		if err != nil {
-			cs.log.Sugar().Fatal("Failed to fetch IPMI data from Metal API", "machineID", machineID, "error", err)
-			runtime.Goexit()
-		}
+	metalIPMI, err := cs.getIPMIData(machineID)
+	if err != nil {
+		cs.log.Sugar().Fatal("Failed to fetch IPMI data from Metal API", "machineID", machineID, "error", err)
+		runtime.Goexit()
 	}
 
 	ipmiData, err := metalIPMI.MarshalBinary()
@@ -284,58 +253,50 @@ func (cs *consoleServer) sendIPMIData(sshSession *gossh.Session, machineID, mach
 	}
 }
 
-func (cs *consoleServer) authHandler(ctx ssh.Context, publickey ssh.PublicKey) bool {
+func (cs *consoleServer) authHandler(ctx ssh.Context, publicKey ssh.PublicKey) bool {
 	machineID := ctx.User()
-	cs.log.Sugar().Info("authHandler", "machineID", machineID, "publickey", publickey)
+	cs.log.Sugar().Info("authHandler", "publicKey", publicKey)
 	knownAuthorizedKeys, err := cs.getAuthorizedKeysForMachine(machineID)
 	if err != nil {
-		cs.log.Sugar().Error("authHandler no authorized_keys found", "machineID", machineID, "error", err)
+		cs.log.Sugar().Error("no authorized keys found", "machineID", machineID, "error", err)
 		return false
 	}
 	for _, key := range knownAuthorizedKeys {
-		cs.log.Sugar().Info("authHandler", "machineID", machineID, "authorized_key", key)
-		same := ssh.KeysEqual(publickey, key)
+		cs.log.Sugar().Info("authHandler", "machineID", machineID, "authorizedKey", key)
+		same := ssh.KeysEqual(publicKey, key)
 		if same {
 			return true
 		}
 	}
-	cs.log.Sugar().Warn("authHandler no matching authorized_key found", "machineID", machineID)
+	cs.log.Sugar().Warn("no matching authorized key found", "machineID", machineID)
 	return false
 }
 
 func (cs *consoleServer) getAuthorizedKeysForMachine(machineID string) ([]ssh.PublicKey, error) {
-	var m *models.V1MachineResponse
+	resp, err := cs.getMachine(machineID)
+	if err != nil {
+		cs.log.Sugar().Error("unable to fetch requested machine", "machineID", machineID, "error", err)
+		return nil, err
+	}
+	if resp == nil {
+		cs.log.Sugar().Error("requested machine is nil", "machineID", machineID)
+		return nil, err
+	}
+
 	if cs.spec.DevMode() {
 		bb, err := ioutil.ReadFile(cs.spec.PublicKey)
 		if err != nil {
 			cs.log.Sugar().Error("unable to read public key", "file", cs.spec.PublicKey)
 			return nil, err
 		}
-		private := true
-		m = &models.V1MachineResponse{
-			Allocation: &models.V1MachineAllocation{
-				Networks: []*models.V1MachineNetwork{{Private: &private, Ips: []string{machineID}}},
-				SSHPubKeys: []string{
-					string(bb),
-				},
-			},
-		}
-	} else {
-		var err error
-		m, err = cs.getMachine(machineID)
-		if err != nil {
-			cs.log.Sugar().Error("unable to fetch requested machine", "machineID", machineID, "error", err)
-			return nil, err
-		}
-		if m == nil {
-			cs.log.Sugar().Error("requested machine is nil", "machineID", machineID)
-			return nil, err
+		resp.Allocation.SSHPubKeys = []string{
+			string(bb),
 		}
 	}
 
 	privateIP := ""
-	if m.Allocation != nil {
-		for _, nw := range m.Allocation.Networks {
+	if resp.Allocation != nil {
+		for _, nw := range resp.Allocation.Networks {
 			if *nw.Private {
 				if len(nw.Ips) > 0 {
 					privateIP = nw.Ips[0]
@@ -345,12 +306,12 @@ func (cs *consoleServer) getAuthorizedKeysForMachine(machineID string) ([]ssh.Pu
 		}
 	}
 	if privateIP == "" {
-		return nil, fmt.Errorf("unable to detect primary IP of machine:%s", machineID)
+		return nil, fmt.Errorf("unable to detect private IP of machine:%s", machineID)
 	}
 	cs.ips.Store(machineID, privateIP)
 
 	var pubKeys []ssh.PublicKey
-	for _, key := range m.Allocation.SSHPubKeys {
+	for _, key := range resp.Allocation.SSHPubKeys {
 		pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))
 		if err != nil {
 			return nil, errors.Wrap(err, "error parsing public key")